open source · self-hosted · one binary

Your own residential proxy pool.

Run a tiny agent on devices you already own. They dial out to your hub; you point an app at one address and each request leaves through one of your devices, on its ordinary home IP.

For scraping, testing geo-locked sites, or any job that needs a real home IP you control, not a rented datacenter one.

[Diagram: devices (PC, Pi, box, VPS, phone) and the hub]

Why_

Building a proxy pool from your own devices used to mean gluing a stack of tools together. warren is that stack as one binary.

The usual stack

  • + a mesh VPN (Tailscale / Headscale) for NAT traversal
  • + a proxy on every device (3proxy / gost)
  • + a rotator in front (Rota and friends)
  • + glue scripts to wire and sync it all
  • + tap "allow VPN" on every phone, by hand

warren

  • > devices dial out: no mesh VPN, no port-forward
  • > the one binary is the proxy and the rotator
  • > install once, it joins the pool, done
  • > approve a new device from the web dashboard
  • > no third party, no bandwidth marketplace

How it works_

Three moving parts, and the devices never accept a connection.

Devices dial out

Each device keeps one outbound link to the hub. Nothing listens on it, so home routers and CGNAT are fine.

The hub is the door

Your app hits the hub's proxy (HTTP or SOCKS5, with a login). The hub picks a healthy device and retries another if one drops.

The device requests

It connects to the site from its own network, so the site sees its home IP. For HTTPS the hub only relays encrypted bytes.

What you get_

One endpoint, a pool of devices

Automatic, health-aware failover across everything you own, or pin one device by name.

HTTP CONNECT, plain HTTP, SOCKS5

All on one port, with username and password auth. UDP too, via SOCKS5 UDP ASSOCIATE (DNS, QUIC, WebRTC).

Live web dashboard

Add devices, approve them, copy ready-to-run install commands.

Encrypted device link

TLS on by default; the device pins the hub's key. No shared secret on the wire.

Runs anywhere

Linux, macOS, Windows, and tiny ARM boxes at a couple of watts.

One static binary

No runtime, no database server. State is a single local file.
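
The key pinning mentioned under "Encrypted device link", as an added Go example that is not warren's own code: a device-side TLS config that skips CA chain validation and accepts the hub only if its public key hashes to the pinned fingerprint. The fingerprint format (hex SHA-256 of the certificate's SubjectPublicKeyInfo), the function names, the seeds and the hub.example name are assumptions; the page does not specify them.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
)

// Fingerprint is the hex SHA-256 of the certificate's public key (SPKI); assumed pin format.
func Fingerprint(c *x509.Certificate) string {
	return fmt.Sprintf("%x", sha256.Sum256(c.RawSubjectPublicKeyInfo))
}

// PinnedConfig is a device-side TLS config that trusts only the pinned hub key.
func PinnedConfig(pin string) *tls.Config {
	return &tls.Config{
		InsecureSkipVerify: true, // no CA chain to check; VerifyConnection enforces the pin
		VerifyConnection: func(cs tls.ConnectionState) error {
			if len(cs.PeerCertificates) == 0 || Fingerprint(cs.PeerCertificates[0]) != pin {
				return fmt.Errorf("hub key does not match pinned fingerprint")
			}
			return nil
		},
	}
}

// NewHubCert builds a constructed self-signed certificate to stand in for a hub.
func NewHubCert(seed string) (*x509.Certificate, error) {
	sum := sha256.Sum256([]byte(seed)) // fixed seed keeps the demo repeatable; real keys use crypto/rand
	key := ed25519.NewKeyFromSeed(sum[:])
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{"hub.example"}}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, key.Public(), key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	hub, _ := NewHubCert("hub-key")
	rogue, _ := NewHubCert("other-key") // constructed impostor: same name, different key
	verify := PinnedConfig(Fingerprint(hub)).VerifyConnection
	fmt.Println("hub:", verify(tls.ConnectionState{PeerCertificates: []*x509.Certificate{hub}}))
	fmt.Println("impostor:", verify(tls.ConnectionState{PeerCertificates: []*x509.Certificate{rogue}}))
}
```

The impostor carries the same DNS name as the hub, so only the key comparison tells them apart. `VerifyConnection` also runs on resumed sessions, which `VerifyPeerCertificate` does not.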

Yours, end to end: warren only uses devices you own and control. No selling bandwidth, no strangers' traffic on your IPs, no marketplace.

Get started_

Two steps. No secrets to invent: the hub generates the login and token, turns on TLS, and prints a one-paste join code.

01 on a server: install warren and start the hub

curl -fsSL https://raw.githubusercontent.com/doedja/warren/main/install.sh | sh && warren hub --public-node-addr SERVER:7000

It prints a proxy login, an enroll token, the TLS fingerprint, and a join code. It listens on :7000 for devices and :8000 for the proxy.

02 on each device you own: paste the join code

Linux / macOS:

curl -fsSL https://raw.githubusercontent.com/doedja/warren/main/install.sh | sh -s -- --join warren1.aGVsbG8...

Windows (elevated PowerShell):

& ([scriptblock]::Create((irm https://raw.githubusercontent.com/doedja/warren/main/install.ps1))) -Join warren1.aGVsbG8...

The code carries the address, token, TLS, and fingerprint, so there are no flags to fill in. The dashboard hands you the right line per OS.

That is the setup. Now point any app at the proxy with the printed login:

curl -x http://warren:PASSWORD@SERVER:8000 https://api.ipify.org

The plain username (warren) picks any healthy device. Append a device's name to the username with + to pin one, like an exit node:

curl -x http://warren+phone:PASSWORD@SERVER:8000 https://api.ipify.org

For a localhost-only hub, add --no-tls. A spare Android phone works too, via Termux. Full docs and prebuilt binaries on GitHub.